South Carolina Credit Union Goes After Phishers

A South Carolina credit union is taking what legal experts say is a rare legal approach to combat phishing by filing a civil lawsuit and winning a court order to serve subpoenas on Internet service providers and phone companies related to the case without waiting for a pretrial conference.

The $687 million AllSouth FCU in Columbia, S.C., filed a civil lawsuit last month in U.S. District Court for the District of South Carolina against unknown perpetrators that gained access to at least 125 members’ accounts, according to court documents.

The lawsuit names “John Does” and “Jane Does” as defendants charged with infringing upon AllSouth’s trademark and violating the Racketeer Influenced and Corrupt Organizations Act.

The credit union, which has more than 20 locations and 100,000 members, is seeking an immediate injunction against the fraudsters and treble damages, which are mandatory under RICO statutes and entitle the court to award triple the amount of actual damages.

In an effort to identify and locate the criminals who launched an SMS phishing scam in early April, a U.S. District Court judge has issued an order granting expedited discovery, allowing AllSouth’s legal team to serve subpoenas on third-party communications providers.

Unlike a criminal case, a civil lawsuit allows different methods of discovering evidence, which is likely why AllSouth has adopted the tactic. AllSouth officials declined to comment, citing the ongoing investigation.

“We have nothing further to add,” said Audrey Brown, the credit union’s vice president of marketing.

According to court records, the fraudsters obtained a list of AT&T customer names with South Carolina’s (803) area code and sent them phishing text messages. Recipients were told their account had limited access or restricted access and were instructed to call a toll-free telephone number.

Callers were greeted with an automated recording stating, “Welcome to AllSouth Federal Credit Union,” and prompted to provide personal information such as account, Social Security and driver’s license numbers, which perpetrators used to log on to AllSouth’s online banking system and transfer money out of victims’ accounts.

The exact number of victims is yet to be determined, but at least 125 credit union members reported to AllSouth that they revealed personal data during the phishing scam, according to court documents.

It’s rare for judges in civil cases to grant an expedited discovery order to issue subpoenas to third-party service providers, according to legal experts, but this is not the first time a financial institution has utilized the tactic in a phishing case.

Records of communications providers are given extra protection by the “Stored Communications Act” portion of the Electronic Communications Privacy Act of 1986, but the laws have gotten murky with the growth of technologies such as social media and cloud storage.

“It’s my impression that civil discovery requests to third-party service providers for the content of communication under the Electronic Communications Privacy Act are very unusual and may not be allowed by the statute,” Chris Calabrese, legislative counsel for the American Civil Liberties Union, said in an email to Credit Union Times.

The court order granted to AllSouth states that the motion for expedited discovery was allowed pursuant to Rule 26(d) of the Federal Rules of Civil Procedure. In 2006, a district court in Nebraska granted a motion to allow First National of Nebraska to conduct immediate discovery on non-party ISPs for the limited purpose of identifying and locating unknown defendants that conducted a phishing scam.

Time is of the essence, according to AllSouth’s motion, because “the information sought from some of the third parties through the proposed discovery is in electronic format, and, therefore, it is reasonable to expect that such information will eventually be purged by the third-parties in accordance with a data retention policy. Plaintiff will suffer irreparable harm if discovery is not permitted, as the defendants will likely never be identified, the number of victims will increase, and AllSouth’s reputation will continue to be damaged.”

“Banks and credit unions need to maintain their security protocols at the highest levels and also need to educate their consumers about identity theft,” said Edmund Mierzwinski, consumer program director with the U.S. Public Interest Research Group, a national non-profit consumer advocacy organization.